[c-nsp] Bogon Filtering

Mark Newton newton at atdot.dotat.org
Mon Nov 21 08:04:56 EST 2005 

Skeeve Stevens wrote:

> This is going to be a long painful process getting ISP's out there to clean
> all this mess up.

This is, of course, partly Cisco's fault.  We often ran up against
folks using Cisco's AutoSecure feature earlier this year when we were
de-bogonifying a /17 APNIC allocation we'd been granted from 59/8.

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_field_notice09186a00803e13e9.shtml

Autosecure would have to be the single most stupifyingly crap feature
which has ever been implemented by Cisco (sure, I could be wrong -- should
we start a list?).  Among other things, it automatically applies a bogon
filter based on a set of hard-coded IANA-reserved prefixes.  So if the
IANA-reserved list which has been compiled into the software has changed
in the time between the release of the software and your use of AutoSecure,
you'll end up blocking between 1 and n perfectly legitimate live-on-the-
Internet /8 prefixes.

When we were given our 59/8 allocation, 59/8 had been released to
APNIC by IANA *eighteen entire months* earlier, yet it was still in
Cisco's AutoSecure-generated ACLs.

The IANA-reserved list changes so quickly these days that the hard-coded
list is inevitably obsolete by the time the software release which hosts
it has reached FCS.  Or, in other words, it is simply not possible for
Cisco to produce a software image which contains an AutoSecure implementation
which doesn't break your network.

Stupid, stupid Cisco.  What were they thinking?

Look at the URL above, in the Workarounds section for "Using SDM for
Option 2."  Is there the slightest hint in your wildest imaginings to
suggest that the kind of network admin who'd use a GUI to configure a
router would regularly go through that junk to keep their bogon filters
up-to-date?  Puh-lease.  The professionals who know what they're doing
at Cisco can't even keep their own compiled-in list up to date, so how
do they expect network admins who can't spell bogon but know how to
click the "Make Me Secure" button with a mouse to keep up?

Skeeve:  It took us about 9 months to clear this up completely.
We had an advisory on our website encouraging customers who couldn't
reach websites to open tickets to tell us about it, and we had people
on our helpdesk tasked full-time with going through those tickets,
identifying the ones which were caused by faulty bogon lists, and
contacting the relevent network admins to try to convince them that
their bogon lists were wrong.  Sometimes said network admins didn't
believe us, and suspected us of trying to change their firewall ACLs
by means of a social engineering attack (anyone whose job includes
router configuration who actually believes that is essentially
stealing their salary, by the way);  So those tickets would get
escalated up through our support system to people who could explain
the facts of life to people who didn't want to believe them.  I reckon
we had 2 or three full-time employee equivalents for 9 months solid
before the reports settled down to "background radiation" levels and
our customers stopped screaming about bits of the Internet not working.
So you have my sympathy, and wishes for the best of luck.

Note to Cisco:

The very existence of this feature is a bug.  Ordinarily Cisco goes
through a period of deprecation whenever they remove a feature, with
it becoming successively more difficult to enable with each new software
release.  I'd support simply nuking this AutoSecure functionality
summarily without warning, since it's broken by design and cannot
possibly ever become un-broken.  Make the router emit a "No, that's a
dumb idea," error message if the user tries to enter the config
commands which turn it on.  And provide a link to Team Cymru's
BGP bogon filter pages.  For extra credit, future versions of IOS could
regex-match against the startup-config and automatically delete any
ACLs called "autosec_iana_reserved_block" or "autosec_complete_bogon",
since they clearly have no right to be in the config in the first place.

(and if the SE at Cisco who implemented this is reading and feeling a
bit unloved by the fact that their hard work has provoked such a
strong, forthright airing of views here:  Get in touch, I want to send
you a bill for the time we wasted on chasing up network admins and
convincing them that their filters were broken. Pretty sure
Skeeve and Noel would love a quick email message too, along
with a several hundred people from all the orgs on the planet who have
been unlucky enough to have received the first few allocations from
each new /8 in recent years.  We're the ones cleaning up your mess,
and we're not happy about it...)


    - mark

--------------------------------------------------------------------
I tried an internal modem,                    newton at atdot.dotat.org
      but it hurt when I walked.                          Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

More information about the cisco-nsp mailing list